Bug 431221

Summary: Root can't write to /proc/*/{oom_adj,sched}
Product: [Fedora] Fedora Reporter: Michal Schmidt <mschmidt>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 8   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-03-05 22:17:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Schmidt 2008-02-01 15:56:23 UTC 
Description of problem:
Root is denied write access to files in /proc/<pid>/ which should be writable 
by him, even from an unconfined_t shell.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-81.fc8.noarch
selinux-policy-targeted-3.0.8-81.fc8.noarch
kernel-2.6.23.14-107.fc8.x86_64

How reproducible:

Steps to Reproduce:
Login as root. Let's choose a confined process, e.g. hald.:
# cd /proc/$(/sbin/pidof hald)
# ls -l oom_adj
-rw-r--r-- 1 root root 0 Feb  1 16:12 oom_adj
# echo 1 > oom_adj 
bash: oom_adj: Permission denied


Actual results:
Write access is denied, an AVC message is generated:

avc: denied { write } for comm=bash dev=proc egid=0 euid=0 exe=/bin/bash 
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=oom_adj pid=5920 
scontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0 
subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file 
tcontext=system_u:system_r:hald_t:s0 tty=pts3 uid=0


Expected results:
Root should be allowed to tune the processes' writable parameters 
in /proc/<pid>/

Additional info:
The bug prevents the latencytop utility from working correctly with SELinux in 
enforcing mode (latencytop is going through package review: 
https://bugzilla.redhat.com/show_bug.cgi?id=431047 ).
Comment 1 Daniel Walsh 2008-02-02 05:12:01 UTC 
Fixed in selinux-policy-3.0.8-84.fc8
Comment 2 Daniel Walsh 2008-03-05 22:17:26 UTC 
Bugs have been in modified for over one month.  Closing as fixed in current
release please reopen if the problem still persists.